Strict policy working?

Stephen Smalley sds at tycho.nsa.gov
Thu Nov 30 21:25:18 UTC 2006


On Thu, 2006-11-30 at 21:10 +0100, Jimmy wrote:
> Does the strict policy work at all?
> I've installed FC6 4 times on 2 different PCs, and after the default
> installation I've installed the strict policy package and enabled it,
> relabeled the disk and rebooted it.
> X boots up, but I can't log in. I get an error message, and looking
> deeper into it it says:
> "Xlib: connection to ":0.0" refused by server
> Xlib: no protocol specified
> 
> xrdb: Can't open display ':0'
> ...
> ..."
> 
> When I switch off enforcing (setenforce 0), it works fine. I have tried
> this with the latest policy and updates as well, and I'm seriously
> starting to wonder if the policy really works "out of the box".
> The reason I want the strict policy is Fedora's own description of the
> strict policy:
> 
> "Strict policy works best where you have a controlled userspace. For
> example, you can setup a security policy where your users are only
> allowed to use the Web browser to view files on the Internet and only
> allowed to download to certain directories. You could limit what
> applications the Web browser can launch to helper applications."
> 
> This is exactly what I want to do: I want to be able to boot up FC6
> in my VMware machine, start a Firefox session and browse some
> stuff on the web in a secure way.
> Sooo... is the strict policy broken, or am I broken? ;)

Strict policy almost always requires some customization, and since it is
not the default, it has a much smaller user (and thus testing) base in
Fedora.  Have you looked at the avc: denied messages in
your /var/log/messages file (before auditd starts) and
in /var/log/audit/audit.log (once auditd starts) to see the specific
denials?  Have you tried using audit2allow(1)?  Read the Fedora SELinux
FAQ?
http://fedora.redhat.com/docs/selinux-faq-fc5/#id2961385


-- 
Stephen Smalley
National Security Agency
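The reply above points at the avc: denied records as the place to start. What follows is an added example, not code from this thread, from Fedora or from the SELinux tools, that reduces those records to one line per denial and then groups them by source domain, target type and object class, which is the view you want to have read and understood before handing anything to audit2allow. The AVC records embedded in it are constructed for illustration and are not taken from the poster's machine; the domain and type names in them (user_xauth_t, user_home_t, tmp_t and so on) are assumptions about what such a log might contain.

```shell
#!/bin/sh
# Added example (not from the original thread): condense raw AVC denial
# records so the specific denials behind a failure are visible at a glance.

# Constructed sample records in the format auditd writes to
# /var/log/audit/audit.log. Kernel "avc: denied" lines in /var/log/messages
# (before auditd starts) carry the same fields after the "avc:" prefix.
# Illustrative only; not taken from the poster's machine.
SAMPLE_AVC='type=AVC msg=audit(1164920000.101:42): avc:  denied  { read } for  pid=2311 comm="xauth" name=".Xauthority" dev=dm-0 ino=131 scontext=user_u:user_r:user_xauth_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1164920000.101:42): arch=40000003 syscall=5 success=no exit=-13
type=AVC msg=audit(1164920000.102:43): avc:  denied  { write } for  pid=2311 comm="xauth" name=".Xauthority" dev=dm-0 ino=131 scontext=user_u:user_r:user_xauth_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
type=AVC msg=audit(1164920001.300:44): avc:  denied  { search } for  pid=2320 comm="xrdb" name="tmp" dev=dm-0 ino=2 scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:tmp_t:s0 tclass=dir'

# Count denial records on stdin.
count_avc() {
    grep -c 'avc: *denied'
}

# Print one line per denial: "<perms> <comm> <scontext> -> <tcontext> (<tclass>)".
# Several permissions inside one { } block are joined with commas.
summarize_avc() {
    awk '/avc: +denied/ {
        perms = ""; comm = ""; sc = ""; tc = ""; cls = ""; inb = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "{") { inb = 1; continue }
            if ($i == "}") { inb = 0; continue }
            if (inb) { perms = perms (perms == "" ? "" : ",") $i; continue }
            if ($i ~ /^comm=/)     { comm = substr($i, 6); gsub(/"/, "", comm) }
            if ($i ~ /^scontext=/) sc  = substr($i, 10)
            if ($i ~ /^tcontext=/) tc  = substr($i, 10)
            if ($i ~ /^tclass=/)   cls = substr($i, 8)
        }
        print perms, comm, sc, "->", tc, "(" cls ")"
    }'
}

# Group denials by (source context, target context, class) and list the
# union of permissions each group asked for. This is the granularity at
# which an allow rule would be written, so it shows how much access a
# proposed rule really grants.
group_avc() {
    summarize_avc | awk '{ key = $3 " -> " $5 " " $6; seen[key] = seen[key] " " $1 }
                         END { for (k in seen) print k ":" seen[k] }' | sort
}

# Run stand-alone: show the grouped view of the constructed sample.
printf '%s\n' "$SAMPLE_AVC" | group_avc
```

On a real system, feed `ausearch -m avc` output or the audit log itself into the same functions. Only after reading the grouped output and deciding whether each access is something the domain should legitimately have does it make sense to let audit2allow (for example `audit2allow -M local < /var/log/audit/audit.log`, then `semodule -i local.pp`) turn the denials into a policy module; blindly allowing everything the log shows hands a confined domain exactly the access the strict policy was meant to withhold.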
